IBM’s Container Service: Container Security, Applied

Republished from the Integrated{code} blog

It’s no surprise to anyone that container security is still a hotly debated and discussed topic across the cloud ecosystem. Much of the debate hinges on an understanding that the full benefit of container technologies is only realized in a container-native bare metal deployment, but many implementations are held back from this by the “safety net” of well-understood and vetted VM technology. Everyone from developers to IT execs to operators and admins wants to know that a true container-native future for their cloud virtualization strategy is a “safe bet” that won’t come back to bite them (and their customers, data, critical business processes…) in the end.

To that end, you can easily find blog posts, tech journal write-ups, conference talks, and more recently, a couple of highly detailed “best practice” documents on container security topics. As a personal point of reference, a container security talk I gave at Docker London in July received over 8000 views on SlideShare in just a few weeks!

One recent addition to the pile of resources on this hot security topic was published by The New Stack, a popular site for tech journalism on cloud computing topics, not to mention a regular producer of podcasts, interviews, and pancakes too, should you visit any popular industry conference these days. The New Stack recently invited Bryan Cantrill, Joyent’s CTO, to discuss the state of container security on a podcast titled “Security Must be a Top Priority with Container Deployments.”

I’ve always thoroughly enjoyed Bryan’s engaging style and his thoughts on containers and this podcast does not disappoint. However, at minute 16:00 Bryan stated:

“Certainly there is no cloud offering today that allows for two different tenants to run in two different containers on the same host that are mutually untrusted.”

Bryan Cantrill, Chief Technology Officer at Joyent

This caught my attention because this model, with the Linux kernel isolation primitives as its substrate, is exactly what IBM’s own container cloud as a service is built upon. We built our cloud container-native on bare metal because, while much of the industry is busy opining about container security problems, we see it as our mission to jump in and help fix them. Bluemix, therefore, is our flagship demonstration that a container-native bare metal cloud can be built.

We believe that Linux kernel-based isolation, along with the layers of security capabilities offered by Docker and the Linux ecosystem, some of which were contributed by IBM, is capable of providing the multi-tenant isolation for bare metal containers that our customers require. We agree there is still work to do, but we are successfully operating a managed containers-as-a-service offering using these components, with open source contributions from IBM including:

…and many bug fixes and configured environmental protections too numerous to list. These open source contributions are in addition to technologies we are developing and delivering via our Bluemix container offering such as:

…and more to come. That isn’t to say that we don’t understand the continued need for improvement and development of further security enhancements in the Linux substrate, but we believe in, and are committed to, continuing contributions to this stack of open source layers, which provides a performant and secure isolation layer for what we all call “Linux containers”, and we are offering it as a service to our IBM Cloud customers via Bluemix.

We are also continuing to look at new technologies like the lightweight virtualization work at the OCI/runc layer, and even showed a proof-of-concept at DockerCon Seattle of one such pluggable runc on our POWER platform with hardware-assisted lightweight virtualization. We will continue delivering what we believe is of most value to our customers and provides them with a secure and appropriately isolated tenant environment based on Linux kernel container technologies.

If you haven’t had a chance to try out our Bluemix container cloud offering, note that you can easily get a free-tier 30-day trial account. The Docker client API is fully supported, as are container groups, the private registry noted above, and our entire catalog of cloud services, including logging, monitoring, public IP routing, and many other features.

And thanks, Bryan, for providing a launchpad for me to show off what IBM is achieving in the cloud today with our managed bare metal container cloud offering. I still highly respect your thoughts in this area, but I wanted to take the opportunity to say that one company has gone ahead and said “I’ll do it first!”
